All Activity

  1. Past hour
  2. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

    These errors appear when the remote installation task of NAgent or KES with NAgent was created with the "Assign package installation in Active Directory group policies" option selected. At the first startup they start under the account specified in the New Task Wizard. If that user has access for creating domain policies and groups, the task will be completed successfully, and "GPO" and "Security Group" with target computers will be created on the domain controller.

    When deleting this task, the user credentials entered in the task settings are used. If they are changed, or if the task is being deleted by another user who does not have sufficient rights in the domain, or if the user who created the task has lost their rights, the errors will occur:

    Error in EventLog:
        Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'System error 0x52E (The user name or password is incorrect.)'

    Error in EventLog:
        Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'Access is denied.'

    To fix it, you need to change the user in the task settings to the one with sufficient rights to delete "GPO" and "Security Group" on the domain controller.
  3. This is a small guide about Chrome Developer tools for collecting logs.

    1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I.
    2. Temporarily ignore the opened sidebar and open KSC Web Console.
    3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the next step.
    4. On the DevTool sidebar, go to the Network tab. Press the Export HAR... button and save the file.
    5. Also, you may save the log on the Console tab. Just right-click on a clear space and select Save as...
  4. You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be an SB self-diagnostics error at the KATA web-interface. Usually it's the WinXP image that gets excluded.

    This article is applicable only to KATA 4.1/5.0

    Image names for 4.1: CentOS7_x64, WinXP, Win7_x64, Win10_x64
    Image names for 5.0: Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64

    KATA 4.1 sets
    KATA 5.0 sets

    Prior to doing the steps below, ensure that this option is enabled (under Security officer)

    Step-by-step guide

    Execute the following command under root (this is an example, you can choose VM images as it suits you)

    For 4.1
        apt-settings-manager set --merge /configuration/kata_scanner '{"sandbox": {"images": ["CentOS7_x64", "Win10_x64"]}}'

    For 5.0
        console-settings-updater set --merge /kata/configuration/product/kata_scanner '{"sandbox": {"images": ["Astra_x64", "Win7_x64", "Win10_x64"]}}'

    Check that the settings have been applied:

    SB self-diagnostics error at KATA web-interface should disappear. Check that SB processing works fine.

    Consequences

    You will see error under Administrator: and under Security officer (in KATA 5.0)

    No need to worry, as the workaround described has consequences.
  5. It is impossible to detect .bat and .cmd files by format, because these are regular plain text files. If you want to block attachments, you can only configure detection of these files by masks: *.bat, *.cmd. Please check the section "Configuring the general settings and conditions of rules" of the sites https://support.kaspersky.com/KS4Exchange/9.6/en-US/166855.htm Add a condition for the Attachment filtering rule and select File name mask instead of File format and then add *.bat or *.cmd to the list.
  6. Administrator receives the notification about outdated anti-spam (AS) and/or anti-virus (AV) bases because a large time interval for updating AS and/or AV databases is set (every 5 hours or more for AS and every 24 hours or more for AV). Anti-spam and anti-virus bases should be updated much more often. Accordingly, Kaspersky Security Center should also update anti-spam and anti-virus bases more frequently. The best way is to update anti-spam bases directly via Internet from Kaspersky Update servers every 5 minutes. Anti-virus bases should be updated every 1 hour. If it is not possible, try to update Kaspersky Security Center and Kaspersky Security for Microsoft Exchange anti-spam bases every 30 minutes or every 1 hour, but in this case you should not expect a high spam detection rate.
  7. andrew75

    Adguard

    They have solved it several times; I have been on this forum for more than a year and remember these stories. Only then the problem would surface again after some time. In the end it was added to the list of incompatible software. It was just a passive addition that did not oblige anyone to anything. And in the latest version they started warning about it explicitly. The question is: is this only a warning during installation that can be bypassed, or will the product now remind about it periodically?
  8. Description

    If you need to know the name of the standard KSC service account (KL-AK...) that has been created during installation, it is stored in the registry key. This information can be viewed in the registry, using the following paths:

    for 64-bit systems:
        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0

    for 32-bit systems:
        HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0

    This key is called AutoCreatedServiceAccount.

    It can also be quickly obtained with the following commands:

    For 64-bit systems
        reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount

    For 32-bit systems
        reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount
  9. There are 2 types of installer within: https://www.kaspersky.com/small-to-medium-business-security/downloads/internet-gateway?icid=gl_sup-site_trd_ona_oth__onl_b2b_klsupport_tri-dl____gateway___

    Version 6.1.0.4762 | Red Hat Enterprise Linux | Localization package
    Version 6.1.0.4762 | Red Hat Enterprise Linux | Distributive

    What's the difference between these two packages?

    Localization package is something you install additionally after installing distributive (application package) to get the local language (for example, Japanese). You can see the order here: https://support.kaspersky.com/KWTS/6.1/ja-JP/174936.htm

    There is no help page for "Installing the localization package" but it's just 'rpm -i'.
  10. The table below contains the criteria for Kaspersky Security for Microsoft Exchange Servers 9.0 MR6 settings health check. Using the settings as specified in the table ensures meeting the recommended security level of the system.

    № | Parameters (settings) to check | Check criterion | Expected result

    1 Anti-Virus protection for the Transport Hub role

      1.1. Anti-Virus protection is enabled
        In the node Server protection → Protection for the Transport Hub role → Anti-Virus scan settings the Enable anti-virus protection for the Hub Transport role option is selected

      1.2. The Delete object action has been set for infected objects
        In the node Server protection → Protection for the Transport Hub role → Anti-Virus scan settings the Delete object option is selected for infected objects

    2 Virus scan of mailboxes

      2.1. Scan is enabled
        In the node Server protection → Protection for the Mailbox role → Anti-Virus scan settings the Enable anti-virus protection for the Mailbox role option is selected

      2.2. The Delete object action has been set for infected objects
        In the node Server protection → Protection for the Mailbox role → Anti-Virus scan settings the Delete object is selected for infected objects

      2.3. Periodic scan task run has been configured
        In the node Server protection → Protection for the Mailbox role → Protection for mailboxes
        - all required mailbox storages are selected (Protected mailbox storages)
        - the task schedule has been defined (Background scan → Schedule)

    3 General Anti-Virus protection settings

      3.1. Interaction with KSN (KPSN) is enabled for the Anti-Virus module
        In the node Settings → KSN Settings the I accept the KSN Statement option. Use Kaspersky Security Network or Use Kaspersky Private Security Network (KPSN) option is selected
        In the node Server protection → Advanced Anti-Virus settings the Use Kaspersky Security Network option is selected

      3.2. Scanning of archives and containers is enabled
        In the node Server protection → Advanced Anti-Virus settings
        - the Scan attached containers/archives option is selected
        - the default value (32) is set for the Scan attached containers/archives with nesting level not higher than setting

    4 Anti-Spam and Anti-Phishing scan

      Anti-Spam parameters are configured

      4.1. Anti-Spam is enabled
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Enable anti-spam scanning of messages option is selected

      4.2. SCL rating is in use (only if the "Skip" action is selected)
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Add SCL value option is selected for Spam, Potential spam and Blacklisted
        If mass mailings need to be put into the spam folder: the Add SCL value option is selected for Mass mailing

      Anti-Phishing parameters are configured

      4.3. Anti-Phishing scan is enabled
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Enable anti-phishing scanning of messages option is selected

      4.4. SCL rating and PCL rating are in use (only if the "Skip" action is selected)
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Add SCL and PCL rating option is selected for Phishing

      Parameters for interaction with KSN (KPSN) are configured

      4.5. Interaction with KSN (KPSN) for Anti-Spam and Anti-Phishing scans is enabled
        In the node Settings → KSN Settings the I accept the KSN Statement option. Use Kaspersky Security Network or Use Kaspersky Private Security Network (KPSN) option is selected
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Kaspersky Security Network option is selected

      4.6. Reputation Filtering service is enabled (only if there is interaction with KSN)
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Reputation Filtering option is selected

      4.7. Enforced Anti-Spam Updates Service is enabled
        In the node Server protection → Protection for the Transport Hub role → Anti-Spam scan settings the Use Enforced Anti-Spam Updates Service option is selected

    5 Database update and network settings

      5.1. Automatic update of anti-virus databases is enabled. Recommended interval – 1 hour
        In the node Updates → Update databases of Anti-Virus → Run mode the Periodically value is set to every hour

      5.2. Automatic update of Anti-Spam databases is enabled. Recommended interval – 5 minutes
        In the node Updates → Anti-Spam databases update → Run mode the Periodically value is set to every 5 minutes

      5.3. Proxy server has been configured for database update (if update sources are accessed through a proxy)
        In the node Settings → Proxy server settings proxy server settings have been defined
        In the node Settings → Connection settings the Use proxy server option is selected

      5.4. Proxy server has been configured for KSN and the Enforced Anti-Spam Updates Service (if KSN is accessed through a proxy)
        In the node Settings → Proxy server settings
        - proxy server settings have been defined
        - the Use a proxy server to access KSN, Enforced Anti-Spam Updates Service, and Kaspersky Lab activation servers option is selected

    6 Licensing

      License key is active
        In the node Settings → Licensing the license key has an active status
  11. Problem: When deploying the SVM of KSV LA on vSphere 6.5, the following error may occur:

    Reason: This issue occurs because vCenter Server cannot detect any vSAN storage provider. There is no way to detect a vSAN storage provider if no hosts are available when vCenter Server starts.

    Note: the vSAN storage provider cannot be recognized automatically even after the host starts working properly.

    Workaround: This is a known issue affecting vCenter Server. To work around this issue, you have the following options:

    1. Initiate synchronizing the vSAN storage provider by clicking the icon for synchronization in the page: vCenter Server -> Configure -> Storage Providers
    2. Make sure at least one host is working when starting vCenter Server.
  12. ant76

    Adguard

    That is why I would like a clarification of the situation from an official representative of Kaspersky. Because in that case I too can start asking a lot of such questions and doubts.
  13. 1. Download KES distributive
    2. Unpack to the folder
    3. Copy patch .msp file (i.e. pf1794.msp) to the same folder
    4. In KSC create Installation package using the files from this folder
    5. Install
  14. How to connect to KWTS via SSH or receive the files via SCP?

    Below are the examples of using Putty and WinSCP tools.

    1. In the puttygen utility (from the Putty package):
        - Type of the key to generate: RSA.
        - Generate the key.
        - Protect the key with a password (key passphrase).
        - Save the private key.
        - Copy the public key from the field "Public key for pasting into OpenSSH authorized_keys file"

    2. In the KWTS web interface:
        - Paste the copied public key into the SSH key field https://support.kaspersky.com/KWTS/6.1/en-US/183526.htm

    3. In Putty:
        - Specify the KWTS address for connection.
        - In the "Category" field on the left, open: Connection - SSH - Auth.
        - Click "Browse" and select the .ppk file of the private key.
        - Connect to the KWTS node.
        - Specify root user account.
        - Enter the password for the key from step 1.

    4. In WinSCP:
        - Specify the KWTS address for connection.
        - In the "Advanced..." drop-down list, select Advanced.
        - In the left frame, select Authentication in the "SSH" section.
        - In the "Authentication parameters" section, specify the .ppk of the private key in the "Private key file" field.
        - Click OK.
        - Connect to the KWTS node.
        - Specify root user account.
        - Enter the password for the key from step 1.
  15. KSO365 is a cloud solution. It does not work in the cloud by itself but together with Microsoft Exchange Online (EOL) and its anti-spam and anti-virus protection. In more than 95% of cases, Microsoft Forefront (Ff) performs the spam and virus scans first, due to Microsoft's cloud architecture. Thus, if Ff has identified an email as spam, virus, phishing, etc., and has done with it any action (according to the settings) except “Skip”, we do not check this email and do nothing with it. We cannot change the verdicts given by other applications. If an email went to the user's box without Ff detects or with the “Skip” action, KSO365 comes into play. It performs all the scans that the user has enabled, gives its verdicts and performs the actions configured by the user. Special mention should be made of the SCL parameter, which is necessary when working with spam detection. This is the only general letter parameter that KSO365 can change but only upwards.
  16. To install the solution in the silent mode, run the command line with administrator rights and execute the following command:

        msiexec /i "<PATH_TO_MSI>" /qn ADDLOCAL="<FEATURES>" SQL_SERVER_NAME="<SQL_SERVER_NAME>" BACKUP_DATABASE_NAME="<DATABASE_NAME>" SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="<UserName>" SQL_ACCOUNT_DLG_PASSWORD="<Password>" SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="<UserName>" SERVICE_ACCOUNT_DLG_PASSWORD="<Password>" INSTALLDIR="<INSTALLATION_DIRECTORY>" DATADIR="<DATA_DIRECTORY>" /l*vx "<LOG_FILE_PATH>"

    <PATH_TO_MSI> - path to the installer msi file. For example, "c:\temp\kse80_en_us.msi"

    <FEATURES> - list of components. Examples:
        - All components: Anti-Spam, Anti-Virus for hub, Anti-Virus for mailbox, DLP, Administration console: "Antispam,AvVsapi,Antivirus,AdminConsole,Service,Feature.Complete"
        - Console only: "AdminConsole,Feature.Complete"
        - Anti-Spam only: "Antispam,Service,Feature.Complete"
        - Only Anti-Virus on Hub: "Antivirus,Service,Feature.Complete"
        - Only Anti-Virus on Mailbox: "AvVsapi,Service,Feature.Complete"

    The Feature.Complete component must always be included. The Service component must be included in all cases except for Console only installation.

    <SQL_SERVER_NAME> - MS SQL SERVER name. For example, MYSERVER\SQLEXPRESS. It is not possible to use a dot to specify a current server.

    <DATABASE_NAME> - name of the database. For example, "SecurityForExchange".

    Parameters SQL_ACCOUNT_DLG_USER_TYPE, SQL_ACCOUNT_DLG_USER and SQL_ACCOUNT_DLG_PASSWORD are used for specifying a user account for accessing the SQL Server. If they are not specified, the application will use the parameters of the account under which installation is performed. Example:

        SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="Domain\Username" SQL_ACCOUNT_DLG_PASSWORD="Password"

    Parameters SERVICE_ACCOUNT_DLG_USER_TYPE, SERVICE_ACCOUNT_DLG_USER and SERVICE_ACCOUNT_DLG_PASSWORD are used for specifying a user account under which the application service will run. If they are not specified, the service will run under the Local System account. Example:

        SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="Domain\Username" SERVICE_ACCOUNT_DLG_PASSWORD="Password"

    <INSTALLATION_DIRECTORY> - path to the installation folder, by default: %ProgramFiles(x86)%.

    <DATA_DIRECTORY> - path to the data folder. By default it is located in the installation folder.

    <LOG_FILE_PATH> - path to log files, for example, "c:\temp\kseinstall.log"
  17. Description

    When installing or upgrading KSE, you may encounter various issues when installing or starting our service. If a user has repeated the installation many times and changed many settings manually, we recommend removing KSE completely using the instructions below.

    Cause

    There are files that remain in the system from a previous KSE installation, so a new installation cannot be successful.

    Solution

    Delete the remaining KSE files from the Exchange server manually. Follow the instructions below.

    1. Delete all the remaining KSE agents. To do so, start Exchange Management Shell and run the following command:

        Get-TransportAgent -TransportService FrontEnd

       If the KSE agent is on the list, run the command:

        Uninstall-TransportAgent -TransportService FrontEnd -Identity "Kaspersky Security antispam Frontend Cas agent"

    2. Run the following command:

        Get-TransportAgent

       See what KSE agents are on the list. Run the command below for every KSE agent. For example:

        Uninstall-TransportAgent "Kaspersky Security routing antispam filter agent"
        Uninstall-TransportAgent "Kaspersky Security antispam filter agent"
        Uninstall-TransportAgent "Kaspersky Security antivirus filter agent"

       Insert the names of KSE agents from your list.

    3. Restart the Transport Agent service using the command:

        Restart-Service "MSExchangeTransport"

    4. To make sure that there are no more KSE agents, run the following commands again:

        Get-TransportAgent -TransportService FrontEnd

       and

        Get-TransportAgent

    5. Set Disabled for Kaspersky Security For Microsoft Exchange Servers service startup and stop our service.

    6. Import the removeregkeys.zip archive to the registry.

    7. Restart the MSExchangeIS service:

        Restart-Service MSExchangeIS

    8. Remove the folder where KSE was installed. If possible, restart the server.
  18. Description

    When trying to deliver any message from Backup, the following error occurs:

        Facade::DeliverMessage failed. [0xeceb0013] Details: Cannot create temporary file, code: 0xeceb0013.

    Solution

    Add to the /usr/lib/tmpfiles.d/tmp.conf file the following exclusions:

        x /tmp/klms*
        x /tmp/klmstmp/
        x /tmp/klms_filter/
        x /tmp/klmstmp/*
        x /tmp/klms_filter/*

    Restart the klms service.

    If the issue persists, send a screenshot of the information from the web interface to Kaspersky Support. Click System information - Create and take a screenshot.
  19. When troubleshooting typical KSC issues, you will likely need to check the availability of TCP port 13000 on the KSC Server. Both telnet and akconnect tools can be used to achieve this.

    Syntax is very simple:

        akconnect host port

    Examples:

        akconnect.exe 192.168.1.19 13000 >akconnectoutput.txt
        telnet 192.168.1.19 13000 >telnetoutput.txt

    Where 192.168.1.19 is the IP address or DNS name of the KSC Server and 13000 is the port number. Results will be logged to .txt files that should be sent to Kaspersky support for verification.

    Please be advised that telnet is not installed by default in the recent versions of Windows. You can add it using the appwiz.cpl→Add feature.

    You can download the akconnect utility here.
  20. If two different update agents on a PC are assigned in different ways:

    - To an administration group.
    - Based on a network location.

    Which one will have a higher priority for the PC?

    Among the update agents assigned to administration groups, the one assigned to the administration group that is closest to the target host in the group hierarchy has the higher priority. If the update agents are assigned to the same group, they have an equal priority.

    The priority of update agents assigned based on the network location is equal to the priority of the nearest update agent in the group hierarchy.

    If two update agents have the same priority, the one, the route to which is closer in the number of passed routers, is selected.

    If two update agents have the same priority and the network distance to them is the same, the agent is selected randomly.
  21. Dynamic hosts require more KSC resources than regular hosts. When a new host is connected to KSC (and the dynamic host is considered new), an icon and a new entry in the database are created, full synchronization with the agent is performed, and the host is moved to a group. When the host is deleted, all information about it is deleted as well. These operations consume a lot of KSC resources, while static hosts require them to be performed only once.

    Recommended sizing (no more than 20 000 VDI hosts) may not be fully and correctly loaded. In industrial use, for each icon the following network lists are created:

    - hardware
    - installed software
    - detected vulnerabilities
    - events and lists of executable files of the Application control component.

    Size of these lists directly affects KSC performance as well as SQL server performance when performing internal procedures, and the load may grow in the non-linear way.

    If the use of the solution with your policy settings, environment and virtual desktop properties shows moderate consumption of resources during standard operations, then the number of managed VDI hosts can be increased up to the limit of resources available in the current configuration. Consumption of 80% of memory and 75-80% of available cores is considered moderate.
  22. Problem

    After "Nessus" vulnerability scanning on Central node 4.0 servers, you may see the following:

    Ports: 22-tcp

    Description: The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

        diffie-hellman-group-exchange-sha1
        diffie-hellman-group1-sha1
        gss-gex-sha1-*
        gss-group1-sha1-*
        gss-group14-sha1-*
        rsa1024-sha1

    This is about an IETF proposed standard (formerly a draft) introduced in January 2022 after KATA 4.0 release. These IETF recommendations are addressed in KATA version 5.0.

    Solution

    Disclaimer: This security hardening procedure is done "at your own risk"; at the present moment we don't suggest applying it preemptively.

    KATA 4.0 has OpenSSH_7.4p1, OpenSSL 1.0.2k-fips. This version supports newer Key Exchange (KEx) algorithms, so disabling weaker ones doesn't pose a problem. However, the list of key exchange algorithms that are accepted by GSSAPI key exchange for this version has only the ones that are named weak by the IETF draft. man SSHD_CONFIG(5) says:

        GSSAPIKexAlgorithms
        The list of key exchange algorithms that are accepted by GSSAPI key exchange. Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-

    Therefore, the only option to remove these in OpenSSH_7.4p1 is to disable GSSAPI key exchange. GSSAPI however is used by Kerberos authentication, so the possible impact is that Kerberos integration may be affected after these changes.

    So, in order to achieve the desired result:

    1. Open /etc/ssh/sshd_config

        # vi /etc/ssh/sshd_config

    2. Locate the line

        GSSAPIAuthentication yes

       Change it to "no":

        GSSAPIAuthentication no

    3. Add (or uncomment) the line

        GSSAPIKeyExchange no

    4. Add the line defining the KEX algorithms to be used. These are all the algorithms supported by existing version of OpenSSL except the weak ones:

        KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org

    5. Exit vi and save

        :wq!

    6. Restart sshd

        # systemctl restart sshd

    7. Confirm applied changes by listing the loaded gssapi settings and KEX algorithms.

        # sshd -T | grep kex
        # sshd -T | grep gssapi
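
For the confirmation step of the SSH hardening post above, an added example (not part of the original post and not Kaspersky tooling): a POSIX shell check that reads `sshd -T` output and flags any key-exchange name from the weak list quoted in the Nessus finding, plus the two GSSAPI settings the post switches to `no`. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output against the weak KEX names quoted
# in the post. Function names and sample dumps are constructed.

# is_weak_kex NAME: succeeds if NAME is on the post's weak list
# (the gss-* entries are prefixes followed by a mechanism suffix).
is_weak_kex() {
    case "$1" in
        diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1|\
        gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*|rsa1024-sha1)
            return 0 ;;
    esac
    return 1
}

# audit_sshd_dump: reads `sshd -T` style lines ("key value") on stdin,
# prints one FINDING line per problem, returns 0 only if nothing was found.
audit_sshd_dump() {
    findings=0
    saw_kex=0
    while read -r key value || [ -n "$key" ]; do
        case "$key" in
            kexalgorithms)
                saw_kex=1
                rest=$value
                # Walk the comma-separated list without touching IFS.
                while [ -n "$rest" ]; do
                    alg=${rest%%,*}
                    case "$rest" in
                        *,*) rest=${rest#*,} ;;
                        *)   rest= ;;
                    esac
                    if is_weak_kex "$alg"; then
                        echo "FINDING: kexalgorithms offers weak algorithm $alg"
                        findings=$((findings + 1))
                    fi
                done
                ;;
            gssapiauthentication|gssapikeyexchange)
                if [ "$value" != no ]; then
                    echo "FINDING: $key is '$value'; the post sets it to no"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done
    if [ "$saw_kex" -eq 0 ]; then
        echo "FINDING: no kexalgorithms line in input (incomplete dump?)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a dump with GSSAPI authentication on and SHA-1 KEX offered.
sample_default_dump() {
    cat <<'EOF'
port 22
gssapiauthentication yes
gssapikeyexchange no
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
EOF
}

# Constructed sample: a dump after applying the settings from the post.
sample_hardened_dump() {
    cat <<'EOF'
port 22
gssapiauthentication no
gssapikeyexchange no
kexalgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org
EOF
}

echo "== constructed default-style dump =="
sample_default_dump | audit_sshd_dump || echo "-> needs hardening"
echo "== constructed hardened dump =="
sample_hardened_dump | audit_sshd_dump && echo "-> clean"
```

On a real node the same function can be fed live output as root with `sshd -T | audit_sshd_dump`.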
  23. Access to the Microsoft quarantine is carried out immediately after the issuance of the consent. Additional quarantine access accounts, that were subject to the MFA restriction in the previous versions, are no longer required for quarantine access. The connection is carried out using the application to which the consent is issued.
  24. Why are emails detected by Microsoft Exchange Online not being detected by KS365? Because "first come, first served"? Yes. In more than 95% of cases, Microsoft Exchange anti-malware and anti-spam filters are processing all objects before KS4O365. That being said, all the detections performed by our application are actually detections of mail flow that has already been scanned by Microsoft filters if they are not disabled. If some email was already scanned and quarantined by Microsoft, then we do not receive it for scanning, as it was already done on the Microsoft side.
  25. If multiple e-mails are selected in Security for Microsoft Office 365, they cannot be saved to disk. You can only save them one by one.
  26. If anti-spam detects an e-mail as not definitely categorized as clean, it moves the e-mail to the "Temporary Quarantine" for 50 minutes to re-scan it with updated anti-spam databases. If after these 50 minutes the e-mail is not defined as spam, it is released automatically without any interaction with the user. The administrator has an option to manually release such e-mails from "Temporary Quarantine" before the 50 minute period ends. At the same time, the e-mail will remain in quarantine with the status "Released".